Episode127

From Paul's Security Weekly
Jump to: navigation, search
Palo Alto Networks
Tenable Network Security
The SANS Institute
Pwnie Express
Black Hills Information Security
BlackSquirrel
Onapsis

Sponsors

Core Security

This episode is sponsored by Core Security Technologies, helping you penetrate your network. Rock out with your 'sploit out and check out the client side exploit and web application testing modules! Listen to this podcast and qualify to receive a 10% discount on Core Impact, worlds best penetration testing tool.

Tenable Network Security

This podcast is also sponsored by Tenable network security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notibly the creators of Nessus, the worlds best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Direct Feed subscription for immediate access to new Nessus plugins, and compliance checks” Tenable – Unified Security Monitoring!

Astaro

Astaro offers the most complete and easy to use Internet security appliances available. The products combine best of breed applications, the proven quality of Linux and enterprise level performance, providing the latest protection with the best total cost of ownership. All products are available as software, hardware or virtual appliances, which allows users the flexibility to meet a wide variety of deployment scenarios.

One of the best things about Astaro is that it offers its products completely free for home use. All enterprise features and all subscriptions, including virus scanning, web content filtering, email filtering and VPN clients, are available in the home license for no cost. All you have to do is visit www.astaro.com, register, download the software and obtain the key, which protects up to 10 IPs. There are no sales people to talk to, no payment information to enter—it’s just free. Again, visit www.astaro.com for more information or to download the product and free home user license.

Announcements & Shameless Plugs

Welcome to Security Weekly, Episode 127 for October 23rd, 2008. A show for security professionals, by security professionals.

  • Security Weekly SANS Click-Through - Go there, register for fabulous SANS training! Go now!
  • ChicagoCon - October 27 - November 1, Talks by Ed Skoudis, Gregory Conti West Point, Author of "Security Data Visualization", Daniel V. Hoffman CTO SMobile Systems, EH-Net Columnist, Billy Rios/John Walton Microsoft Pen Testers (Blue Hat)
  • Phreaknic 12 in Nashville TN this weekend, Friday Oct 24 - Sunday Oct 26. The cover charge is 20 bucks. http:///www.phreaknic.info for more details.
  • This week we have a Book Giveaway from No Starch Press, a copy of Hacking: The Art of Exploitation, 2nd Edition. E-mail the answer to our question to psw@securityweekly.com. First correct answer, with supporting documentation to that address wins!

Episode Media

mp3 pt 1

mp3 pt 2

Tech Segment: Information gathering with Kismet - Hacker on a plane!

I recently was able to meet up with Bob while he was on the run. He told me that he was on a long flight recently headed in to Boston several weeks back (he's gotta keep on the move!), and he decided to fire up Kismet for some passive captures while on the plane. He let it run for an hour or so, and passed the captures to me for analysis. I trimmed them down to just spit out some interesting stuff that we can use for this example.

We'll replay them with tcpdump:

$ tcpdump -r bobs_intersting_packets

...and we get a bunch of probe requests. We've talked bout this ad-nauseum before. This is why we love Karma (and Karmetasploit). Windows (and other OSes, even some gaming consoles), automatically tries to connect to wireless networks in the preferred network lists. Kismet can then see those connect requests as the OS cycles through the list.

So, here's the first list from the first capture from the same MAC address:

16:32:04.483854 Probe Request (Free Public WiFi) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:32:06.763062 Beacon (Free Public WiFi) [1.0* 2.0* 5.5 11.0 Mbit] IBSS CH: 11
16:32:11.977047 Probe Request (Hyatt) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:32:13.978262 Probe Request (fcc) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:32:16.071853 Probe Request (Lake) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:32:18.130698 Probe Request (public1) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:32:20.099906 Probe Request (The Point) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:32:22.069924 Probe Request (REDZONE) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:32:24.085280 Probe Request (belkin54g) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:32:26.115367 Probe Request (hhonors) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:32:28.146203 Probe Request (GlobalSuiteWireless) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:32:30.084600 Probe Request (1811) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:32:32.092157 Probe Request (Wayport_Access) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:32:34.118208 Probe Request (guestnet) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:32:36.123724 Probe Request (FourSeasons) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:32:38.138125 Probe Request (killington) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:32:42.153053 Probe Request (Hotel Griffon) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:32:46.160227 Probe Request (RGPublic) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:32:50.115316 Probe Request (oakbluffs) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:32:52.122565 Probe Request (Cuttyhunk) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:32:54.175486 Probe Request (MARYA) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:32:56.131065 Probe Request (mattapoisett) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:32:58.131358 Probe Request (linksys) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:33:00.137978 Probe Request (HBS) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]

Now, go log in to wigle.net and search for some of the more unusual SSIDs. What do you want to bet we can figure out where this particular person lives/works/plays based on where they show up on the map. Then add the more common names to the list, and you can bet that they show up in those same two neighborhoods as well. Yes, several of them show up in very close proximitiy spread out over to distinct neighborhoods.

The second capture Bob provided also had more interesting SSIDs, just in case we REALLY wanted to triangulate:

16:26:51.357853 Probe Request (ibahn) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:26:53.106024 Probe Request (Elysium) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:26:57.259488 Probe Request (JFKRL) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:26:59.080305 Probe Request (phspiaguest) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:03.281251 Probe Request (needadog) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:05.260271 Probe Request (guest_ssid) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:09.408208 Probe Request (NUwave) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:11.080215 Probe Request (SpotOn) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:13.233782 Probe Request (holden) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:15.484724 Probe Request (SMC) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:17.131279 Probe Request (Wayport_Access) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:19.183281 Probe Request (Seaport) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:21.182520 Probe Request (Hynes Wireless Network) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:23.146459 Probe Request (iscguest) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:25.096483 Probe Request (LawLibrary) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:27.095193 Probe Request (roofnet) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:29.176267 Probe Request (in4net) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:33.146455 Probe Request (Harvard University) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:35.185946 Probe Request (default) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:37.613369 Probe Request (Back Bay Events Center) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:39.170252 Probe Request (Algonquin Club WiFi) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:43.587718 Probe Request (BostonPublicLibrary) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:45.285541 Probe Request (loganwifi) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:47.388067 Probe Request (CRS WAP) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:49.336783 Probe Request (HCBostonMember) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:51.285535 Probe Request (Linksys Secure) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:53.285419 Probe Request (Warehouse) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]

From Bob's capture, and again from the same MAC address, we also are able to capture some interesting network traffic. We can use this information in conjunction with the wireless info to create an even more detailed picture about the individual:

16:36:08.526921 IP 0.0.0.0.bootpc > broadcasthost.bootps: BOOTP/DHCP, Request from 00:1e:52:b6:19:9b (oui Unknown), length 300
16:36:10.307924 IP 169.254.140.137 > 224.0.0.251: igmp v2 report 224.0.0.251
16:36:12.949124 IP 169.254.140.137.mdns > 224.0.0.251.mdns: 0*- [0q] 1/0/0 (Cache flush) A 169.254.140.137 (40)
16:36:37.923110 arp who-has 10.71.0.123 tell 10.71.0.123
16:36:43.001662 IP 10.71.0.123.netbios-ns > 10.71.15.255.netbios-ns: NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
16:36:49.532485 IP 169.254.44.240.netbios-ns > 169.254.255.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
16:46:53.719602 IP 169.254.44.240.netbios-ns > 169.254.255.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
16:47:21.229266 IP 169.254.44.240.netbios-ns > 169.254.255.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST

For some reason, Wireshark displayed some interesting domain information in the netbios requests. I suspect that I exported the packtes wrong, so the info isn't shown with the tcpdump output, but here they are in Wireshark:

http://www.securityweekly.com/wiki/images/Interesing_nbt.png

Now, what else can we assume about the individual, and potential network/desktop policies in play?

On an unrelated note, Bob also picked up an MDNS request:

16:48:51.923694 IP 169.254.221.155.mdns > 224.0.0.251.mdns: 0 [1n] ANY (QU)? Maggie-s-iPod-touch.local. (59)

I wonder if we could then have some fun with MDNS and Maggie's device? What about when it gets synced with her workstation? Can we have some fun with that too?

Interview: "Weld_Pond", "Dildog"

History

The story begins with the "L0pht", founded in 1992 in the Boston area for its members to store their computer hardware and work on various projects (a "hacker space"). Many then quit their day jobs to start L0pht Heavy Industries (wow, I have something in common :), most famous for L0phtcrack, a tools to crack and brute force Windows passwords. On May 19, 1998, all seven members of L0pht (Brian Oblivion, Kingpin, Mudge, Space Rogue, Stefan Von Neumann, John Tan, and Weld Pond) famously testified before the Congress of the United States that they could shut down the entire Internet in 30 minutes.

In January 2000, L0pht Heavy Industries merged with the startup @stake, completing the L0pht's slow transition from an underground organization into a "whitehat" computer security company.

Veracode was founded in 2006 by a world-class team of application security experts from @stake, Guardent, Symantec, and VeriSign.

On March 14, 2008, several members of L0pht sat at a panel at a standing-room-only group of InfoSec professionals at SOURCE:Boston. Present were Weld Pond, John Tan, Mudge, Space Rogue, Silicosis and Dildog.

Interviewees

With us today we are very honored to be joined by two former members of the L0pht and one member from @stake. Please welcome:

  • Chris Rioux (aka Dildog) - Currently the Veracode Co-Founder and Chief Scientist, Chris, an MIT graduate, was one of the original L0pht members and responsible for projects such as BUTTsniffer and backorifice.
  • Chris Wysopal (aka Weldpond) - Currently the Veracode Co-Founder and Chief Technology Officer, Chris was the co-author of the L0phtcrack application, and other such notable projects that I'm sure many of us have used once or twice, such as netcat.

Questions

  • So, while we can read it on Wikipedia, lets go around and have everyone briefly describe how they broke into the field of computer security.
  • What kind of projects were you working on when you first created the L0pht?
  • What was the driving factor behind going off on your own? What kind of problems and challenges did you encounter?
  • Tell us, and the audience, about L0pht crack, why was it such a significant tool at the time? Why was it discontinued, and how is it different from John the Ripper?
  • Tell us about the transition from L0pht, to @stake to Symantec to Veracode...
  • What kinds of penetration testing did you do @stake?
  • So, there are all of these vulnerable web applications, what do we do about the problem? What is the crux of the issue?
  • What are some of the vulnerabilities that we should be most concerned about and what should we do to fix them?

Chris Rioux

  • Back orifice was a creation that I, I mean Bob, had great amounts of fun with in college. Of course the name at the time was priceless, including the plugin architecture. What was your original motivation for writing?
  • What are your thoughts on security management and testing tools being classified as "hacker tools"? Do you control the distribution? Do you open it up? Do you make them illegal, no matter what they are called?

Chris Wysopal

  • OMG NETCAT!
  • What was your original intent on writing the network swiss army knife?
  • Netcat code has remained pretty static over the last few years, and other have taken the spear head to for the project for a few things (SSL, windows, etc). Is there any further development of netcat in your future?
  • Your thoughts on responsible disclosure?

All

  • What's shaking at Veracode? Any interesting projects?
  • On application security testing. What's so important about including security review in the software development life cycle? Why doesn't it happen? Where did we (traditionally) fall down on this; is it higher ed, lack of training, the environment (ship it!)?
  • So, tell us about SOURCE Boston....

Stories For Discussion

MS08-067 - Vulnerability in Server Service Could Allow Remote Code Execution - Microsoft released an out of band patch today (Oct 23, 2008). This vulnerability affects all currently supported versions of Windows. Windows XP and older versions are rated as “Critical” while Windows Vista and newer versions are rated as “Important”. Because the vulnerability is potentially wormable on those older versions of Windows, Microsoft recommends that you test and deploy the patch as soon as possible. The Microsoft SVRD blog has a nice write-up containing information on mitigation and protection.

Community Blog Posting - Securing Cisco Routers The Easy Way - [Paul] - Router hardening is really important, when will Cisco start shipping routers with these settings in place by default? So like, why can't a Cisco router ask you for both a username and password when is first starts up?

Blue Hat no tech attack - [Larry] - Roelof demos Paterva at Blue Hat, and talks about putting together those little bits that can tie people together - no tech, just some investigative skills. the example I liked was related to PGP - if you can determine the one person exchanges e-mails with 5 people with PGP, it says something about the relation ship. I also like to think about who signed my PGP key - it implies a level of trust. If the person is "well known", you can make some determinations about the type of conversation, and whom to spoof e-mails from.

Community Blog Posting - Installing Mod_Security - [Paul] - I need to implement these features on my web sites. Its extremely critical that you are implementing some sort of WAF in your environment. I can't stress this enough, yes, the filtering can be bypassed, but it prevents the low hangin' fruit from being plucked. Apps will always come into production with some level of insecurity (<- yes loaded statement ;)

Myley Cyrus hacker raided - [Larry] - This is what happens when you get cocky, and brag  :-) Either way, apparently the way it all started out by the attacker creating an IM account with a name of a myspace co-worker. A little social engineering, an exchange of password, and a week and a half of un-monitored activity with the myspace admin accounts gathered account passwords allegedly in clear text. Several questions: no social engineering training? what about policies on sharing IDs and passwords? System monitoring for unauthorized use? Storing recoverable passwords in clear text? Using standard, potentially unsecured IM services for business communications? Yikes on all accounts.

Listen to the keystrokes man, they are talking to you - [Paul] - If this is for real, it looks way cool. Couple of things to note, you probably won't be able to get the receiver at Radio Shack (can you?), second, notice how hard each key is pressed, third other forms on interference cause this not to work. So, I wonder, what would a device look like that could scramble your keystrokes? Maybe Lada ADA can whip one up as a kit...

/etc/rc.d/pants status - [Larry] - Depant is a new tool form Midnight Research Labratories that scans your network for services using default passwords. It uses nmap and hydra to test devices. You can add your own password lists. Not a bad idea to try out every once in a while to hunt down those devices that get installed on your network either in a rogue fashion (and improperly configured), or devices that are improperly configured. Here is a link to the actual *pants* init script just in case you need to check your status ;-) [byte_bucket] [Paul] - Just as an FYI, there are Nmap NSE scripts that do this, and there are even built-in functions for NSE for this purpose. I think Nmap is a much better approach for testing default passwords, cuz like, well, they run Nmap first anyhow, why not just extend it with NSE? This is a perfect project for NSE, not that I am working and testing, er.. I mean..

The End-User Security Struggle - Can we just get rid of attachments? - [Paul] - There is a tried and true method to delivering malware to the user's desktop, send them a Word doc or PDF document. Can you really expect that your HR department will not open these documents to review people's resumes? And while anti-virus software may be catching the not-so-latest published trojans, are they detecting the specially crafted backdoor or latest A/V evasion methods? As we've seen in our tests with some metasploit payloads and tools like pescrambler, definitely not. In fact, AVG seems to be the best at picking up most stuff and its free!

2 legged stool? - [Larry] - Many say that security is a 3 legged stool: Secure, usable, cheap - pick two. From this article, it seems that may users are circumventing the security that has been put in place, because the usability is lacking, onerous, or adds an extra step. I'm wondering, is there really a way to achieve a balance? [Paul] - My take on this, the user IS the vulnerability. Yes, "There is no patch for human stupidity", which is why its always a fun one to exploit. One way, not a very nice thing to do, but have penalties for users who get malware installed. Right now, most companies don't, if you get malware you get a personal visit from the help desk and a pat on the back, "Its okay, I'll fix it for you". How about, "You suck at the Internet, now you have to use Linux".

0wning a network with a soldering Iron - [Larry] (Link at Matasano down on 10/23/08 due to hardware failure) Don't fear the hardware! A protocol guy got up the gumption to build a serial tap, and after a week was able to reverse engineer the proprietary protocol, and take complete control of the affected system. if you own the hardware, you can 0wn the hardware!

Windoze Command Line Kung F00 - [Paul] - This is a great reference! It would be great to script most of these commands and run them automatically once a host has been compromised. It would be neat to do this via meterpreter, maybe using IRB.

Other Stories Of Interest

Beer cures cancer!


USB Authenticating Deadbolt